AD RMS and Active Directory Objects

Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Active Directory Domain Services (AD DS) is a Windows-based directory service. AD DS stores information about objects on a network and makes this information available to users and network administrators. For example, these objects can include user and computer accounts. AD DS is a requirement for installing and implementing AD RMS.

The following table summarizes the required and optional AD DS user and computer objects for an AD RMS implementation.

Active Directory Object: AD RMS Servers Computer Accounts

Description: All servers in the AD RMS Certification/Licensing cluster must be Active Directory domain members.

Remarks: The computer on which you are installing AD RMS must be a member server in a domain, or it must be a domain controller. You cannot deploy AD RMS on a server that is part of a workgroup. These accounts and objects are created automatically when the computer is joined to a domain.

For security and scalability reasons, this account does not need to have extra privileges, such as domain administrator. Make it a member of Domain Users only, or a local administrator on each AD RMS cluster node.

Active Directory Object: AD RMS Service Account

Description: Create a dedicated user account to use as the AD RMS service account. For security reasons, it is strongly recommended that you create a special user account used exclusively as the AD RMS service account.

Remarks: For security and scalability reasons, do not use the local SYSTEM user account.

This account does not need to have extra privileges, such as domain administrator or local administrator. Make it a member of Domain Users only.

This account is assigned the required rights during server installation.

Active Directory Object: SQL Service Account

Description: Create a dedicated user account to use as the SQL service account. For security reasons, it is strongly recommended that a special user account be used exclusively as the SQL service account.

Remarks: For security and scalability reasons, do not use the local SYSTEM user account.
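The following PowerShell script is an added example, not part of the original page: it audits the rule the table states for the AD RMS and SQL service accounts (Domain Users only, no privileged domain group membership, not a local administrator on the cluster nodes). It assumes the ActiveDirectory RSAT module, WinRM access to the nodes, a PowerShell version that ships Get-LocalGroupMember, and placeholder account and node names that you replace with your own.

```powershell
# Added example (not from the original page): verify that AD RMS and SQL service accounts
# carry no extra privileges, as the table above requires.
# Assumptions: ActiveDirectory module installed, WinRM reachable on the nodes,
# and the account/node names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccounts  = @('svc-adrms', 'svc-sql')      # placeholder sAMAccountNames
$ClusterNodes     = @('ADRMS01', 'ADRMS02')        # placeholder AD RMS cluster node names
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators')

function Get-ServiceAccountFindings {
    param([string]$SamAccountName, [string[]]$Nodes)
    $findings = @()
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN, so an account that
    # reaches Domain Admins through a nested group is reported as well.
    $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                Select-Object -ExpandProperty Name
    foreach ($g in $PrivilegedGroups) {
        if ($memberOf -contains $g) { $findings += "member of privileged domain group '$g'" }
    }

    # The account should also not sit in the local Administrators group of any cluster node.
    $pattern = '\\' + [regex]::Escape($SamAccountName) + '$'
    foreach ($node in $Nodes) {
        $localAdmins = Invoke-Command -ComputerName $node -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        if ($localAdmins -match $pattern) { $findings += "local Administrators member on $node" }
    }

    [PSCustomObject]@{
        Account   = $SamAccountName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$ServiceAccounts |
    ForEach-Object { Get-ServiceAccountFindings -SamAccountName $_ -Nodes $ClusterNodes } |
    Format-List
```

An account reported as non-compliant should be moved back to Domain Users only; the rights AD RMS itself needs are granted to the service account during installation, as the table notes.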